A passtoken is a short-lived, single-use substitute for a password. In Enterprise Server for .NET, passtokens are objects that enable users to sign on with alternative credentials such as a certificate.
The DCAS passtickets required for certificate mapping are based on External Security Facility (ESF) passtokens. The only ESM module that supports passtokens is LdapEsm; therefore, ESF configuration must include at least one Security Manager that uses the LdapEsm module.
Region security for DCAS depends on both the ESF configuration and an LDAP server, so you must also configure an LDAP server that holds the security information for Enterprise Server for .NET.
If a region has a security configuration with multiple Security Managers, at least one of the Security Managers must support passtokens. Otherwise, DCAS cannot be used for that region. Whether the region has multiple Security Managers or only one, the first manager that supports passtokens handles passtoken requests.
Passtokens are not enabled by default. ESF passtokens must be enabled either globally or individually for each DCAS user.
You can enable passtokens using either of the following methods:
[Passtoken]
Default=self
In addition, you can configure a Security Manager to entirely disable passtokens. To do so, add the following to the Security Manager configuration:
[Passtoken]
Enabled=no
DCAS uses the ESF PTKTDATA resource class to track access for certain users. A request to DCAS to obtain a passticket for a user includes a string known as an APPLID. Before granting the request, DCAS uses the region's security configuration to make an ESF query to determine if the requested user has Update access for a resource in the PTKTDATA class with the same name as the APPLID.
For example, to allow users in the SALES group to sign on using DCAS when passing the PROD APPLID, import the following LDIF data into your LDAP repository:
# Create the PTKTDATA resource class
# This only has to be done once
dn: CN=PTKTDATA,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=X
changetype: add
objectClass: top
objectClass: container
description: DCAS security

# Let the SALES group sign on to APPLID PROD
dn: CN=PROD,CN=PTKTDATA,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=X
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: PTKTDATA
microfocus-MFDS-Resource-ACE: allow:SALES group:update
microfocus-MFDS-Resource-ACE: deny:*:execute
microfocus-MFDS-UID: mfuid
description: Allow SALES to sign on to PROD using DCAS
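The following Python script is an added illustration, not Micro Focus product code, of the authorization rule described above: it parses the LDIF entries into PTKTDATA resources and answers the question DCAS asks ESF, namely whether a user holds Update access on the PTKTDATA resource whose name matches the requested APPLID. The ACE semantics are assumptions made for the example (entries are evaluated in order, the first ACE whose principal and permission both match decides, a principal ending in " group" names a group, and no matching ACE means deny); the real ESF evaluation rules are not stated on this page, and the user and group names are constructed.

```python
# Added example (not Micro Focus product code): evaluate the DCAS/ESF PTKTDATA
# check over the LDIF shown on the page. ACE semantics below are an assumed
# simplification: first matching ACE decides, no match means deny.
import re

# Constructed input: the page's LDIF, embedded inline so the example runs offline.
SAMPLE_LDIF = """\
# Create the PTKTDATA resource class
# This only has to be done once
dn: CN=PTKTDATA,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=X
changetype: add
objectClass: top
objectClass: container
description: DCAS security

# Let the SALES group sign on to APPLID PROD
dn: CN=PROD,CN=PTKTDATA,CN=Enterprise Server Resources,CN=Micro Focus,CN=Program Data,DC=X
changetype: add
objectClass: microfocus-MFDS-Resource
microfocus-MFDS-Resource-Class: PTKTDATA
microfocus-MFDS-Resource-ACE: allow:SALES group:update
microfocus-MFDS-Resource-ACE: deny:*:execute
microfocus-MFDS-UID: mfuid
description: Allow SALES to sign on to PROD using DCAS
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of values."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):          # LDIF comment
            continue
        attr, _, value = line.partition(":")   # split on the first colon only
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def ptktdata_resources(entries):
    """Map resource name (the APPLID) -> ordered ACE list, for PTKTDATA entries only."""
    resources = {}
    for e in entries:
        if e.get("microfocus-MFDS-Resource-Class") != ["PTKTDATA"]:
            continue
        m = re.match(r"CN=([^,]+),", e["dn"][0])   # resource name is the leading CN
        if m:
            resources[m.group(1).upper()] = e.get("microfocus-MFDS-Resource-ACE", [])
    return resources


def parse_ace(ace):
    """Split 'allow:SALES group:update' into (action, principal, is_group, permission)."""
    action, principal, permission = ace.split(":")
    is_group = principal.endswith(" group")        # assumed group syntax
    if is_group:
        principal = principal[: -len(" group")]
    return action.lower(), principal, is_group, permission.lower()


def ace_matches_principal(principal, is_group, user, groups):
    if principal == "*":
        return True
    return principal in groups if is_group else principal == user


def has_access(aces, user, groups, permission):
    """First ACE matching both principal and permission decides; default deny."""
    for ace in aces:
        action, principal, is_group, perm = parse_ace(ace)
        if perm == permission and ace_matches_principal(principal, is_group, user, groups):
            return action == "allow"
    return False


def dcas_allows_passticket(ldif_text, user, groups, applid):
    """The page's rule: Update access on the PTKTDATA resource named APPLID."""
    aces = ptktdata_resources(parse_ldif(ldif_text)).get(applid.upper())
    if aces is None:                      # no resource defined for this APPLID
        return False
    return has_access(aces, user, groups, "update")


if __name__ == "__main__":
    print(dcas_allows_passticket(SAMPLE_LDIF, "alice", {"SALES"}, "PROD"))  # True
    print(dcas_allows_passticket(SAMPLE_LDIF, "bob", {"HR"}, "PROD"))       # False
    print(dcas_allows_passticket(SAMPLE_LDIF, "alice", {"SALES"}, "TEST"))  # False
```

Run it with no arguments: a member of SALES is granted a passticket for PROD, a member of another group is refused, and a request for an APPLID with no PTKTDATA resource is refused because no resource means no Update access.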